SQL Injection Vulnerabilities-Is there a risk?

cms_sea 27 Jun, 2008
Is Chronoforms subject to Injection Vulnerabilities?

I'm running Joomla 1.5 and my only public data entry is via url requests and Chronoforms. Is there anything I can or should do to protect against hackers and automated injection attacks?

reference: http://www.securityfocus.com/bid/29936

I know of a couple of organizations that have spent days rebuilding (their non-joomla sites) because of injection attacks.

I'm new to joomla and to chronoforms. Does anyone have any experience with this?
GreyHead 27 Jun, 2008
Hi cms_sea,

Keep your Joomla updated. I notice that 1.5.2 and 1.5.3 aren't on the list you quoted. But that may be because they forgot to list them. Joomla 1.5 was a complete re-write from the Mambo code used in Joomla 1.0 so I'd be a little surprised if the same vulnerability existed in both.

ChronoForms relies on the Joomla security for the most part so the best place to ask and keep up to date is the Joomla forums.

Bob
mamiano 28 Oct, 2008
I have seen errors in form submissions due to pasting a single-quote into a field. This is using 3.0 J1.5 BETA 1, I have not updated yet to the stable release, but since the SQL code is generated it probably still applies.

The SQL INSERT which is used to save a form is _not_ part of the Joomla codebase? Could the interpretation of the SQL from a variable actually mask the intended security feature of getVar(), to wit, preventing injection attacks?

Here is a snippet of the debugging message:

500 - JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's implementation of material. Briefly tell exactly what you did during the day, ' at line 2 SQL=INSERT INTO jos_chronoforms_10 VALUES ( '' , 'IZDQzYjhjMWM4MGU2','2008-10-28 - 10:22:03', '66.26.88.147' , 'Mitch Amiano' , 'Maximize Product Mix: Linear Programming - Maximization' , '10/12/2008 - 10/30/2008' , '8' , '80' , 'Please describe each day's implementation of material. Briefly tell exactly what you did during the day, whether you used lecture or groups or individual time, whether you used computers, and what homework assigned. (Each Day will be a whole page on the online survey)' , 'Day 2. Please describe each day's implementation of material. Briefly tell exactly what you did during the day, whether you used lecture or groups or individual time, whether

That strongly suggests that the single quote was interpreted as a delimiter by the SQL engine, which is not good.
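The failure mamiano describes is reproducible in a few lines. The following is an added illustration, not ChronoForms or Joomla code: it builds a throwaway SQLite table (the table name `jos_chronoforms_demo` and the sample submission are constructed for the demo) and runs the same submission through a string-concatenated INSERT and through a prepared statement with bound parameters. The concatenated version fails with a syntax error of exactly the kind quoted above, because the apostrophe in "day's" terminates the string literal; the bound version stores the text intact, since the database never parses user input as SQL.

```php
<?php
// Added example (not ChronoForms or Joomla code): why an apostrophe in a form
// field breaks a string-built INSERT, and the parameterised alternative.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for a ChronoForms data table; the name is hypothetical.
$pdo->exec('CREATE TABLE jos_chronoforms_demo (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

// Constructed sample submission containing the same kind of apostrophe seen in the thread.
$fields = [
    'name'    => 'Mitch Amiano',
    'comment' => "Please describe each day's implementation of material.",
];

// Vulnerable pattern: field values are spliced into the SQL text. The apostrophe
// closes the string literal early and the remainder of the field is parsed as SQL.
// Returns the database error message, or null if the statement ran.
function insertUnsafe(PDO $pdo, array $fields): ?string
{
    $sql = "INSERT INTO jos_chronoforms_demo (name, comment) VALUES ('"
         . $fields['name'] . "', '" . $fields['comment'] . "')";
    try {
        $pdo->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();   // a 'syntax error near "s ..."' like the one quoted above
    }
}

// Safe pattern: the statement shape is fixed at prepare time and the values travel
// as bound parameters, so the engine cannot reinterpret user text as SQL.
// Returns the id of the inserted row.
function insertSafe(PDO $pdo, array $fields): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO jos_chronoforms_demo (name, comment) VALUES (:name, :comment)'
    );
    $stmt->execute([':name' => $fields['name'], ':comment' => $fields['comment']]);
    return (int) $pdo->lastInsertId();
}

$err = insertUnsafe($pdo, $fields);
echo 'Concatenated INSERT: ' . ($err ?? 'succeeded') . PHP_EOL;

$id   = insertSafe($pdo, $fields);
$stmt = $pdo->prepare('SELECT comment FROM jos_chronoforms_demo WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo 'Prepared INSERT stored: ' . $row['comment'] . PHP_EOL;
```

The unsafe function is kept only to show the symptom; the point for a form extension is that every value taken from a request must reach the database either as a bound parameter or through the database layer's own quoting function, never by string concatenation. A syntax error on an apostrophe is the benign sign of the defect; the same path would accept crafted input as SQL.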
Max_admin 28 Oct, 2008
Hi mamiano,

I can't remember, but before BETA 1 or BETA 2 the way the data is inserted changed, from a normal SQL insert query to a complete class handling it through the Joomla codebase. If you have a tab called "DB connection" in the form edit page then you are using the Joomla one; if not, then this is the old method. In both cases you need to upgrade, then retest and let me know the results. V3.0 stable had many fixes and improvements to work very well with J1.5.

Cheers,
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
GreyHead 27 Feb, 2009
Hi nfnitloop,

Thanks for the warning. I haven't seen this before, I don't know if Max has.

Bob
Max_admin 27 Feb, 2009
Hi nfnitloop,

Thanks for the warning. I will take a deep look into the issue. I will remove your post from here for safety and get back to you in a PM.

Regarding the other issue, it has been fixed since that old version!

Regards
Max